
January 4, 2021
Russian Cyber Units
Russia has deployed sophisticated cyber capabilities to conduct disinformation, propaganda, espionage, and destructive cyberattacks globally. To conduct these operations, Russia maintains numerous units overseen by its various security and intelligence agencies. Russia’s security agencies compete with each other and often conduct similar operations on the same targets, making specific attribution and motivation assessments difficult. Congress may be interested in the various Russian agencies, units, and their attributes to better understand why and how Russia conducts cyber operations.

Early Russian Cyber Operations
According to media and government reports, Russia’s initial cyber operations primarily consisted of Distributed Denial of Service (DDoS) attacks and often relied on the co-optation or recruitment of criminal and civilian hackers. In 2007, Estonia was the target of a large-scale cyberattack, which most observers blamed on Russia. Estonian targets ranged from online banking and media outlets to government websites and email services.

Shortly thereafter, Russia again employed DDoS attacks during its August 2008 war with Georgia. Although Russia denied responsibility, Georgia was the victim of a large-scale cyberattack that corresponded with Russian military actions. Analysts identified 54 potential targets (e.g., government, financial, and media outlets), including the National Bank of Georgia, which suspended all electronic operations for 12 days.

Russian Security and Intelligence Agencies
Over the past 20 years, Russia has increased its personnel, capabilities, and capacity to undertake a wide range of cyber operations. No single Russian security or intelligence agency has sole responsibility for cyber operations. Observers note that this framework contributes to competition among the agencies for resources, personnel, and influence, and some analysts cite it as a possible reason for Russian cyber units conducting similar operations without any apparent awareness of each other. Additionally, some agencies appear to prioritize the development of in-house capabilities, whereas others look to contract outside actors for operations.

Military Intelligence
The Main Directorate of the General Staff, commonly referred to as the GRU, is Russia’s military intelligence agency. The GRU has been implicated in some of Russia’s most notorious and damaging cyber operations. Media reporting and U.S. government indictments identify two primary GRU cyber units. The U.S. Department of Justice (DOJ) has charged personnel from both units for actions ranging from election interference in the 2016 U.S. presidential election to multiple damaging cyberattacks. The units’ public profile underlines a high operational tempo. The GRU also reportedly controls several research institutes that help develop hacking tools and malware. Observers have noted an apparent willingness by GRU cyber units to conduct brazen and aggressive operations, sometimes with questionable levels of operational security and secrecy. Collectively, these units are sometimes referred to as APT (Advanced Persistent Threat) 28, Fancy Bear, Voodoo Bear, Sandworm, and Tsar Team.

Unit 26165: Unit 26165 is one of two Russian cyber groups identified by the U.S. government as responsible for hacking the Democratic Congressional Campaign Committee, Democratic National Committee, and presidential campaign of Hillary Clinton. Media and Western governments also have linked Unit 26165 to cyber operations against numerous political, government, and private-sector targets in the United States and Europe.

Unit 74455: Unit 74455 has been linked to some of Russia’s most brazen and damaging cyberattacks. The U.S. government identified Unit 74455 as responsible for the coordinated release of stolen emails and documents during the 2016 U.S. presidential election. As opposed to primarily focusing on penetrating systems and collecting information, Unit 74455 appears to have significant offensive cyber capabilities. DOJ alleges Unit 74455 is responsible for numerous malicious cyberattacks. In October 2020, DOJ indicted members of GRU Unit 74455 for numerous cyberattacks, including the 2017 NotPetya malware attack. In June 2017, malware was deployed against numerous targets in Ukraine. The malware soon spread globally, causing significant damage to countries and businesses beyond Ukraine.

Foreign Intelligence Service
The Foreign Intelligence Service (SVR) is Russia’s primary civilian foreign intelligence service. It is responsible for the collection of foreign intelligence using human, signals, electronic, and cyber methods. Most observers acknowledge the SVR operates with a strong emphasis on maintaining secrecy and avoiding detection. Most cyber operations reportedly linked to the SVR have focused on collecting intelligence as opposed to causing damage through cyberattacks. The SVR also is known to have high levels of technical expertise, often seeking to gain and retain access inside compromised networks. The SVR is sometimes referred to as APT 29, Cozy Bear, and the Dukes.

Analysts and observers have recognized the SVR as highly capable and professional. In contrast to GRU cyber units, the SVR appears focused on collecting intelligence and remaining undetected once it gains access to targeted networks. The U.S. government identified the SVR as one of two Russian cyber units responsible for hacking into political campaigns during the 2016 U.S. presidential election. Despite the focus on operating clandestinely, in 2018, a Dutch newspaper reported that Dutch intelligence compromised the SVR’s infrastructure and provided crucial information to the U.S. government. Private cybersecurity firms noted that in the following years, the SVR decreased its activity. The SVR’s activity reportedly has increased since, and the unit has been linked to numerous cyberespionage operations. Most recently, reports link the SVR to cyberespionage on COVID-19 vaccine research and the tools of cybersecurity firm FireEye. Reports also link the SVR to the SolarWinds attack that reportedly compromised many U.S. government agencies.

Federal Security Service
The Federal Security Service (FSB) is Russia’s primary domestic security agency responsible for internal security and counterintelligence. Its missions include protecting Russia from foreign cyber operations and monitoring domestic criminal hackers, a mission jointly undertaken with Department K of the Ministry of Interior. In recent years, the FSB has expanded its mission to include foreign intelligence collection and offensive cyber operations.

Media reporting has documented close connections between the FSB and criminal and civilian hackers, which the FSB reportedly uses to augment and staff its cyber units. The FSB can coerce civilian and criminal hackers into working as contractors with the threat of imprisonment. DOJ has indicted multiple Russian hackers for a variety of criminal and state-sponsored cyber activities. Many of these indictments describe the close relationship between criminal hackers and the FSB. These indictments and media reporting describe a relationship where civilian and criminal hackers can conduct freelance commercial operations in return for assisting the FSB. FSB hackers are sometimes referred to as Berserk Bear, Energetic Bear, Gamaredon, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

One FSB team reportedly focuses on penetrating infrastructure and energy-sector targets. In contrast to other hacking teams, most operations linked to this team appear to be reconnaissance or clandestine surveillance. The targeting of the energy sector has raised concern within the U.S. government. The Department of Homeland Security and the Federal Bureau of Investigation have documented the unit’s reconnaissance and noted the possibility of inserting malware to cause damage in an attack. The U.S. government also has linked the unit to attempts to penetrate state and local government networks in 2020.

Media reporting indicates another active and sophisticated FSB unit is capable of manufacturing its own advanced malware tools and has been documented manipulating exposed malware to mimic other hacking teams and conceal its activity.

Federal Protective Service
The Federal Protective Service (FSO) is responsible for the physical and electronic security of the government and government personnel. As such, it has extensive signals and electronic capabilities to ensure the security of Russian government communications. The FSO appears primarily concerned with the defense of Russian government networks, and there is no indication it has launched offensive operations.

Internet Research Agency
The Internet Research Agency is a private organization, funded by close Putin confidant Yevgeniy Prigozhin, which has supported Russian government disinformation and propaganda operations. Often referred to as a troll farm or troll factory, this group has focused on disinformation by impersonating domestic activists and people, primarily through various social media channels. In 2018, the U.S. government indicted the Internet Research Agency and its personnel for efforts to sow discord and influence the U.S. political system, including during the 2016 presidential election.

Russian Cyber Weaknesses
Russia faces significant challenges in cyber operations, despite its capabilities and high operational tempo. Many of these challenges are not unique to Russia but still present hurdles to further growth of Russia’s cyber operations.

Like other government agencies, Russian security services face challenges recruiting qualified personnel. Private-sector opportunities and rival agencies compete for talent. As noted, this often causes Russian security services to outsource operations to civilian and criminal hackers or to purchase malware.

Russia’s security services also are known for high levels of corruption. Russian security and intelligence agents have been unmasked and identified through information often reportedly sold by corrupt security officers. Most recently, media outlets identified the FSB agents reportedly responsible for the assassination attempt of Russian opposition figure Alexei Navalny from purchased data. Observers also note corrupt Russian officers conduct cyberattacks for personal enrichment. Domestic hackers have targeted Russian government personnel with embarrassing leaks of emails and correspondence. Shaltai Boltai (Humpty Dumpty in Russian), or Anonymous International, acquired and sold private information of Russian officials from 2013 to 2016 and reportedly coordinated with FSB officers who were subsequently arrested for treason.

For more information see CRS Insight IN11559, SolarWinds Attack—No Easy Fix, by Chris Jaikaran; CRS Report R46616, Russian Military Intelligence: Background and Issues for Congress, by Andrew S. Bowen; and CRS In Focus IF11625, Russian Armed Forces: Military Doctrine and Strategy, by Andrew S. Bowen.

Andrew S. Bowen, Analyst in Russian and European Affairs

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11718 · VERSION 1 · NEW